Posted by BeauHD on Tuesday May 08, 2018 @11:30PM from the case-dismissed dept.

An anonymous reader quotes a report from Techdirt: Last month, [...] an unnamed 19-year-old was facing criminal charges for downloading publicly-available documents from a government Freedom of Information portal. The teen had written a script to fetch all available documents from the Nova Scotia's government FOI site -- a script that did nothing more than increment digits at the end of the URL to find everything that had been uploaded by the government. The government screwed up. It uploaded documents to the publicly-accessible server that hadn't been redacted yet. It was a very small percentage of the total haul -- 250 of the 7,000 docs obtained -- but the government made a very big deal out of it after discovering they had been accessed.

Fortunately, Nova Scotia law enforcement has decided there's nothing to pursue in this case: "In an email to CBC News, Halifax police Supt. Jim Perrin did not mention what kind of information police were given from the province, but he said it was a 'high-profile case that potentially impacted many Nova Scotians.' 'As the investigation evolved, we have determined that the 19-year-old who was arrested on April 11 did not have intent to commit a criminal offense by accessing the information,' Perrin said in the email."

His hard drives contain sensitive info that may preclude him from ever getting them back. Hopefully his other family members get their computers back.

Hmm sensitive info.. like pron? :-)

It is kind of sad though that the use of something like wget and a very simple script was suddenly considered hacking in Canada... How can they even seize his hardware and THEN decide it was NOT hacking?

But then again, we had a similar case in Europe... they did not seize hardware prematurely though... to my amazement, the court DID acknowledge that altering URLs even with a script is not hacking, despite a very poor politic IT history :-) ...actually the company behind

Like data pertaining to individuals that should not have been published on the site and to which he should not have access.

How can they even seize his hardware and THEN decide it was NOT hacking?

You do not seize hardware after a court case. You seize it to discover evidence that would influence a decision to prosecute. If the decision to prosecute is made, the evidence is then presented at the court case.

On this occasion the decision was made to not prosecute. Shitty situation for the innocent party, but still a reasonable sequence of actions.

On this occasion the decision was made to not prosecute. Shitty situation for the innocent party, but still a reasonable sequence of actions.

The big problem is that we have so many bullshit laws that so many people are getting busted for violating them that your right to a speedy trial might as well not exist. The only trials which are ever resolved at all quickly are those in which there is significant public interest, and even some of those drag on interminably.

Who the hell cares about his intent? He downloaded information mistakenly posted to a publicly available system. Unless he's trying to sell state secrets to the Russians, which still doesn't criminalize the act of downloading the stuff, there's absolutely nothing he's done wrong. To say otherwise is to say you can criminalize viewing information that the government posts on billboards by the highway if the government mistakenly puts up the wrong information on the billboards.

Intent is an important part of many laws. For example, it is entirely legal to carry lock-picking tools, but if you carry them with the intent of committing a crime (or even merely have them while committing a crime), that is illegal. I don't know the specifics of Canadian law, but presumably intent is an important aspect of the particular hacking law he was accused of breaking.

In America, if you use someone else's computer in any way with the intent to hack, even just typing a simple sql exploit into your browser URL bar, then you've committed a crime.

Officer: Sarge, I just stopped a guy for speeding, and he admitted that he intended to speed even after he read the 40 mph sign at our bottleneck/speed trap on I-5.

Desk Sergeant: Cut his license and drive him to the Precinct. I'll book him on charges of reading a road sign with malice aforethought. Make sure you read him his rights, and then ask him if he was having criminal thoughts when you read him his rights. Maybe we can get a daily double out of this one!

Some laws have intent written into them specifically. If there is a law that says, "If you intend to commit a crime when reading a public road sign, that is against the law," then doing so is a crime, but there is no such law.

In America, the Computer Fraud and Abuse Act includes such language: "knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access"

"knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access"

But he did not do any of that. He did not defraud anybody. He did not access a protected computer (with or without authorization). He did not exceed the authorized access as no authorization was given.

It is as if you walk on the grass in a public park where it is allowed and then are arrested because you walked on all of the grass over time, walking back and forth.

So even if he did it to sell it to the Russians and had any intent to sell it, that does not make it illegal.

I have done a similar thing in the past where a friend asked me to rip a website so he would have info on companies, so he could sell his product to those companies by knowing how much they needed. This was publicly available information. All I did was automate the process instead of him going through it page by page. Got a few beers out of it.

But he did not do any of that. He did not defraud anybody. He did not access a protected computer (with or without authorization). He did not exceed the authorized access as no authorization was given.

He was in Canada, so you will have to look up the exact wording of the law in Canada.

It's more like a sign saying "take this path through the grass" and you actually take another path that was accessible but not supposed to be available and wasn't advertised as being a path through the grass.

I think the point is - intent is meaningless if you don't actually break the law.

Contrary to OP's post, was not "mistakenly posted to a publicly available system (in the sense OP intends it)," it was instead, insofar as this is relevant, posted to a server with atrociously ineffective "security." Links would be given to individuals to access information to which they alone had been granted the legal right to access. No such right had been bestowed on the accused who circumvented the "security," (as trivial as this was to do), and in doing so breached the privacy of victims who, notwithstanding the negligence of the public authority, had through no act of their own been so exposed.

The provision under which he was charged was s342.1 of the Criminal Code (R.S.C., 1985, c. C-46) which begins:

Unauthorized use of computer

342.1 (1) Everyone is guilty of an indictable offence and liable to imprisonment for a term of not more than 10 years, or is guilty of an offence punishable on summary conviction who, fraudulently and without colour of right,
(a) obtains, directly or indirectly, any computer service;
(b) by means of an electro-magnetic, acoustic, mechanical or other device, intercepts or causes to be intercepted, directly or indirectly, any function of a computer system;
(c)...... computer service includes data processing and the storage or retrieval of computer data; (service d’ordinateur)...

For the purposes of the provision "computer service includes data processing and the storage or retrieval of computer data; (service d’ordinateur),"

The question is not whether he accessed the information indirectly (hacked|cracked), or directly, the question is whether in breaching the privacy of individuals he acted "without colour of right" and "fraudulently." It is the requirement to demonstrate that his behaviour crossed the threshold of fraud, I would imagine, that poses the largest hurdle to a conviction in this case, but then I am not a Canadian lawyer.

Nonetheless, there is at least a prima facie case that he did break the law, and thus intent, contra OP, becomes a material consideration.

what if you do have criminal intent when you read the public road signs?

Much of traffic law is governed, the common law world over, and for obvious reasons, by what we call strict liability offences, which is to say offences for which the state is relieved of its ordinary burden to establish intent in criminal cases. These are the exception to the rule that a crime, (in contradistinction to a tort etc.) consists of the combination of the actus reus and the mens rea. Strict liability is a necessary evil (from the PoV of the democratic rights-based state) and ought to be both a rare exception as also restricted to crimes where it is both a) impracticable to establish intent (eg. particular traffic offences) and where the punishments available to the state are relatively minor (eg. fines as opposed to custodial sentences).

In any case, there is nothing in s342.1 (1) which explicitly obviates the need to demonstrate intent. So this is not relevant here.

Now I would have thought the requisite intent was simply to "obtain a computer service" (i.e. access the data), which his script amply evidences. And remember intent does not require knowledge that an act is criminal. But perhaps there is clear authority to that point and the police are acting on that precedent. Otherwise it should not, in a case where intent (but for some point of law) seems clear, be for the police, but rather for the courts to determine both whether the requisite act and intent are present.

Contrary to OP's post, was not "mistakenly posted to a publicly available system (in the sense OP intends it)," it was instead, insofar as this is relevant, posted to a server with atrociously ineffective "security."

I don't know how "security" is actually defined under the relevant law, however I think for something to qualify as security, it ought to require some effort or intent to bypass. Security ought to serve a "notice function". If you can accidentally bypass it without even realising you've done so, I don't think it ought to qualify.

If you can accidentally bypass it without even realising you've done so, I don't think it ought to qualify.

Exactly. That’s why IIRC our (Dutch) laws explicitly state this in their definition of “secured”. It’s the same as trespassing on private property that looks like it might be public, has no gate, and no “private property” sign. Not punishable.

The Dutch law also sees unencrypted emails as "postcards" in that it is unreasonable to expect security from it and it is to be expected that others will (not can) read them. Encrypted ones are more like a letter in a sealed envelope, where opening them is clearly breaking the law. Reading a postcard not addressed to you? OK. Opening a letter not addressed to you? You are now a criminal.

There's even a direct equivalent in law in the USA: Trespassing vs. Criminal Trespassing (with intent) vs. Breaking and Entering — the latter requires defeating a security device, however trivial. If you walk up to someone's front door and open it and go inside just to have a look around, that may not even be a crime. In some places, a sign saying "no trespassing" is not particularly legally significant. But once you've been notified that you're trespassing, you're definitely trespassing. If your goal

I don't know how "security" is actually defined under the relevant law

As you can see the word 'security' does not appear in the clauses I quoted, (nor, fyi, anywhere else in the operative clauses of this provision). Consequently any definition of 'security' would be of no legal effect. Unsurprisingly 'security' does not appear among the definitions in the provision.

The crime here is committed in "obtain[ing], directly or indirectly, any "computer service" (or in causing a function of that system to be

Fraud is taking by deceptive, dishonest means. Therefore intent to deceive, intent to be dishonest, comes into play.

OK, point taken, it may have been fraudulent intent that the prosecution meant when they announced the case was being dropped for lack of intent. My concern about making out fraud was more basic, where is the deception intended or otherwise, but I don't know, what constitutes fraud in Canada may differ from what constitutes fraud in my jurisdiction.

Actually, what he did was walked down a sidewalk that appeared to be open to the public. It is a reasonable assumption that a resource accessible by simple URL is intended to be made available to the general public to view. If that's not the case, there's no reasonable way he could have known that, and his presumption that it was intended to be open to the public was entirely reasonable, just like a pedestrian's presumption that they are allowed to walk along a publicly accessible sidewalk. If the sidewalk

Contrary to OP's post, was not "mistakenly posted to a publicly available system (in the sense OP intends it)," it was instead, insofar as this is relevant, posted to a server with atrociously ineffective "security."

That is a distinction without a difference. To riff on Arthur C Clarke's famous maxim, sufficiently bad security is indistinguishable from no security. The "security" in this case was so bad as to be effectively non-existent. I don't know exactly where you draw the line as a general proposition but it's pretty clear in this case that any claim that this was "secured" data is utterly absurd.

You can see no difference between mistakenly posting to a deliberately non-secured service and purposely posting to a service with ineffective security? You also missed the "insofar as this is relevant"...

it's pretty clear in this case that any claim that this was "secured" data is utterly absurd

Who claimed that the data in this case was "secured," and why (with reference to the law I posted above) would tha

You can see no difference between mistakenly posting to a deliberately non-secured service and purposely posting to a service with ineffective security? You also missed the "insofar as this is relevant"...

There is no difference because someone can access it without any indication that it is "secured". One could bypass the security without even realizing it was intended to be secure or that any laws were being violated.

You also missed the "insofar as this is relevant"...

I didn't miss it and I actually thought your post was rather good. I just disagree that there is any basis (legal or technical) to say this data was "secured". They may as well have posted the data on a billboard and then tried to

.. some years ago I was in Germany and was introduced to a German drinking superstition. If, when toasting, you look at your glass rather than looking the person with whom you're toasting in the eye, it means you will have "5 years of bad sex." To which I replied, "5 years of bad sex is better than 5 years of no sex at all."

There is no difference...

The original statement that the data "mistakenly posted to a publicly available system" is a clear misrep

Again, I'm not sure anyone said it was secured, it was certainly not adequately secured.

If it wasn't secured data then there is no basis for arresting the individual accessing the data. If it was secured data it was so badly secured as to not be secured and we are back to there being no basis for law enforcement to get involved. If this data was supposed to remain private the people who posted it to the internet without any meaningful security are the ones who should be speaking to a judge and retaining counsel.

As I wrote in another post, a deliberate attempt to circumvent a security feature may go to the issue of "fraudulently" obtaining. Apart from that it is difficult to see what relevance the concept of "security" has to this offence.

And my point is that once the "security" reaches a certain level of incompetenc

Fundamentally: circumvention of security is not an element of this offence as it has been drafted. (And for the record, I find this to be a peculiarly drafted law.) Perhaps you can point me to relevant curial authority which reads in that requirement? If not...

If it wasn't secured data then there is no basis for arresting the individual accessing the data.

Why not? He wasn't charged with accessing "secured data," he was charged with "obtaining" a "computer service" and doing so "fraudulently and wit

How bad does the security have to be, before you can legally assume they meant to grant full access?

If you have to use a URL other than that which is given to you, either spelled out, or as an href, I doubt you will successfully be able to claim constructive authorisation to view the document behind that new URL, (where authorisation would usually be required). If you got desperate it might be worth a shot, but as the first line of defence I'd still challenge the idea that changing a URL is sufficient to co

There's a lot of legal things where a security device doesn't have to be good, but it does have to be noticeable. If a lock is sufficiently fragile that it opens on a slight bump, the door isn't locked. Typically, a security feature is legally there to tell people that they aren't allowed in.

The kid did the equivalent of look on a bulletin board in an arena/community center, and instead of tunnel-vision to the flyer he was told he could look at, looked 2 inches to the left.
He then asked someone else (his computer) to continue moving two inches to the left until there was no more 'bulletin board' to look at.
There was neither fraud nor lack of right, as it was posted on a public board.

That's why prosecutors dropped the case, as they knew it was the server-owner's (read: government's) fault,

Please spare us the corny, faulty analogies and stick to the facts of the case and the relevant law.

There was neither fraud nor lack of right

I disagree with the latter, I see no right or authorisation to access other people's private information. I do, however, tend to agree with the former: trivially changing a URL to look at a nearby page should not suffice to make out fraud. In any case, if either of these elements is not satisfied their case is gone.

Links would be given to individuals to access information to which they alone had been granted the legal right to access. No such right had been bestowed on the accused who circumvented the "security,"

The law should never treat security by obscurity as "security." Punishing somebody because somebody else was stupid is beyond wrong.

Looked at from one way, yes, secret knowledge is a form of obscurity. However, that's not how the term is typically used in terms of computer security. A formal definition would be useful :) I think a first cut might be "if getting to the information requires knowledge of a secret that is closely held (like a password) it's not just obscurity. If it requires knowledge of a secret that's embedded in widely distributed and easily accessible code (like a default password in plaintext in firmware/accessible sou

You can see the law spelled out above. Where does it say anything about "security?"

Punishing somebody because somebody else was stupid is beyond wrong.

This isn't about what happens in anyone's personal opinion to be "beyond wrong." It's about whether the accused committed an offence under 342.1 of the Criminal Code. Evidently the prosecutors decided they could not prove he did.

The individual used the public interface to the web site in a manner which the public interface was intended by the originators of that interface to be used. Altering a URL by editing the address line was anticipated by the protocol and is supported by practically every available client implementation of applications that support the protocol. It isn't "hacking" (whatever that is) to use an application in the manner in which it was intended to be used. The government's action in publishing the FOIA info

The individual used the public interface to the web site in a manner which the public interface was intended by the originators of that interface to be used.

No, obviously not by the authors of that particular interface, (in contradistinction to the general protocol perhaps). The designers of that interface evidently thought it sufficient to give each applicant a specific URL which they were to use to access only the information they were entitled to see. It almost goes without saying that they failed ev

so traffic tickets is a committing a crime and they can use that to get you for just having them? Good thing we have the NRA to stop any BS like with guns. So bad we don't have the same power for tech stuff.

I think the 2014 Bundy Standoff showed that the government is very much afraid of its armed citizens. The government has nothing to fear from one armed individual. It's the other ~50 million that hold the government to account and help ensure we maintain a restrained, Constitutional republic. All the people scared of President Trump should be thankful all those armed people (including police officers and members of the US military) will never allow him to become a king, no matter how much he might like that

Whether you choose to accept it or not, the NRA represents a significant block of grassroots voters.

The NRA represents gun industry interests under the guise of pretending to be a grassroots interest organization. This didn't used to be true but it is unquestionably true today. While it is true that there is a large block of voters who are members and who care strongly about 2nd amendment rights, the NRA only indirectly represents their voice on the issue at this point. The organization has been co-opted by corporations to advocate primarily for them. Whether you think this is a good or bad thing I leave up to you but don't be misled into misunderstanding where the money in the NRA comes from or what strings are attached.

It is entirely funded by its members and represents a large voting block.

The NRA is decidedly NOT "entirely funded by its members". Significantly less than half of the NRA's money comes from program fees and membership dues. This is not conjecture - it is a known fact. Most of the NRA revenue comes from corporations with financial interests in selling firearms and related products. The NRA is de-facto the lobbying organization for the gun industry. It hasn't been a grassroots organization for several decades though it pretends to be one as there is political value in maintaining that fig leaf of a lie. Sort of like the NCAA pretending to care about "amateurism" and "student athletes" while they rake in literally billions in revenue for the colleges.

This. Not only intent, but also discretion. As a practical matter, we've known for centuries that democracies overcriminalize because it is in the interests of legislators to never be blamed for letting a bad person out of jail. Thus the justice system depends on the discretion of police officers not to punish every innocent mistake and the discretion of prosecutors not to prosecute when it's too counterproductive or unfair. This doesn't always work, of course, but it's a huge part of criminal justice.

As a practical matter, we've known for centuries that democracies overcriminalize because it is in the interests of legislators to never be blamed for letting a bad person out of jail.

Uh, no. "Innocent until proven guilty" by definition means that guilty people WILL walk free. The fact that this is seen as such in the US is unrelated to other democracies. I am sure that every country has plenty of cases where they KNEW who the guilty were and still let them go, because of the due process. e.g. letting p

Read it literally, and it doesn't require you to be the original leaker of the information. Because you are knowingly and willingly communicating the still classified information to an unauthorized person.

Which is kind of beside the point, since the particular example doesn't matter much.

What you're saying is true, but what I think the previous poster was referring to was mens rea [wikipedia.org] vs. actus reus [wikipedia.org]. When the police say they dropped charges because they didn't believe there was intent to commit a crime, they are suggesting there was indeed actus reus, but there was no mens rea. What the GP is suggesting, I think, is that there was neither actus reus nor mens rea, and I agree.

Once it was on a public server, without any posted or recognizable warnings, the kid has a pretty solid defense of innocence. If there is some real security breach involved, then they should inform him politely and perhaps firmly, and ask/demand their secret info back (if it still matters).

This completely ignores the point that the kid downloaded publicly available documents from a publicly available web server which under normal circumstances and when operating as intended did not restrict access to said documents.

In short, he did not violate any law, therefore there is no reason to assess "intent". They're still trying to cover their asses for having uploaded sensitive documents to a public webserver, and using some kid as a sacrificial lamb to do it is not okay.

Some of the laws are pretty unclear. Presumably they'll get corrected somehow (in the US, either by legislative action or case law). Also presumably, more situations will develop that laws don't adequately cover.

Further to another poster's comment, intent is almost everywhere in laws. Even look at the more grievous ones (in a simplified nutshell):

1st Degree Murder: I killed someone. I intended to do it. I planned it out in advance.
2nd Degree Murder: I killed someone. I intended to do it. I didn't really plan to however.
Manslaughter: I killed someone. I didn't intend to do it, but through my negligence it happened. I didn't really plan to either.

So a pretty big difference, not only in charge, but in possible punish

If it's on a public facing server it's "fair game", whether it's supposed to be or not.

And "did not have intent to commit a criminal offense" -- maybe this is just in the US, but I thought that "ignorance is no excuse for breaking the law." If he broke a law, let's have him and the law he broke. If not, let him go -- and then let's update all the knowledge of the people who thought he did so this doesn't happen again. (Tech AND Legal.)

I don't necessarily mind misteaks:-), but not for a second time. (And can you imagine -- the police arresting you just for accessing a public website?)

Sounds like he broke the law: "I don't like what you're doing." Where is that one written down anywhere? Or is this the "Nice place you've got here, shame if something..." law?

James Comey specifically stated that Hillary was not prosecuted because "she had no intent to break the law." So intent and mind reading do play a role in what laughingly passes for police work in the US Federal Bureau of Investigation.

He's got plenty of company there. The 7th floor is full of them. Congress has been content to let them abuse their power for decades and now they've gotten to the point where they feel they are entitled to act as they see fit regardless of any rules or laws. I blame Congress for all of this, it's their damn job to oversee these agencies and to rein them in. That's what they are there for.

Intent, specifically Mens rea [wikipedia.org] is an important part of the legal system.

Although what he ultimately did was illegal (obtained unredacted state secrets). He was not originally trying to obtain state secrets, nor could he have reasonably thought that what he was doing would lead to him obtaining state secrets. He had no reason to believe that the information he was able to access via that website, whether he did it via hyperlink or via a script as described in the original article would be anything other than

Not just that it was public facing: If it was the FOI website, wasn't that the entire point of the server? To provide these documents to citizens? The only minor issue I could see was if he didn't set a reasonable refresh time on scraping documents and was hammering the server, thereby causing troubles for other users.

maybe this is just in the US, but I thought that "ignorance is no excuse for breaking the law."

It depends on precisely what you are ignorant of. "ignorance of the law is no excuse" is usually how it's phrased, IIRC, which strikes closer to the truth because it's about being ignorant of *the law*, not ignorant of *the facts*.

Generally in criminal law (at least in the US), a mistake of law ("I did not think it was illegal to do X") will not excuse a crime, but a mistake of fact ("I did not think I was doing X") can sometimes negate a required element of the crime. So if you take a pen knowing it belong

No it's not.... I don't agree with it, but just accessing information not intended for you is illegal in some jurisdictions. The outcome of those cases is very similar to what happens when you hit someone with your car. Did you accidentally bump into them? Did you attempt to murder them?

- public servant needs to get info to citizen
- servant leaves a box of papers on the sidewalk for the citizen to pick up later
- trash/recycle man comes by and takes box
- gov't decides this was important personal info and the trashman is arrested for theft, etc.
- why the fuck isn't the dumbfuck entity that puts shit on the sidewalk as a normal course of business not on the hook?!?

If it's on a public facing server it's "fair game", whether it's supposed to be or not.

Exactly this. If the government wants to go after someone, go after the person who uploaded the non-redacted documents to the public server. That's where the problem occurred, not with the kid whose script to access public documents also pulled documents that shouldn't have been there.

"If it's on a public facing server it's "fair game", whether it's supposed to be or not."

I don't think that is really the case, though that could be that the above comment could be interpreted differently.

Just because it is on a public facing server doesn't make it fair game. I think in this particular case what was wrong was that they didn't make a reasonable effort to keep it secure, and it was also reasonable to assume that as a result the individual didn't realize they were doing anything wrong as a res

Additionally, once the police are involved, they gotta do what they gotta do until the investigation is done.

Pretty sure once the police (and crown lawyers) finished finding out what had occurred, they were pretty unimpressed with the NS government, and were like "uh huh".

As mentioned in the previous article, if there is any legal action here it is more likely going to be in the form of civil suits from either the kid, or those individuals whose information was released by the negligence of having what amou

The legal profession adopted a saying which goes all the way back to ancient Greece [circa 4th Century BC]:-

"The wheels of justice turn slowly, but they grind exceedingly fine..."

Meaning that although changes to the law and the framework of justice might take a while to be developed, once done, the result tends to be pretty comprehensive. Of course, this means that there is a dynamic tension between "Justice" (which moves slowly) and anything which is dynamic and develops quickly.

The problem is that some of the laws governing use of computers - such as the above - have been written so broadly, with such vague definitions, that a prosecutor given the facts of this case, could pretty much decide whether or not to prosecute based on how they feel that day.

As per the description in the linked Wikipedia article, take a look at "Criminal Offenses under the Act" and consider (a)(1) and (a)(2), both of which c

That's just it - he didn't. It sounds like the server was intended to be used by making a specific request for documents, and then receiving links to those "approved" documents that satisfied the request. He bypassed that interface to download all the documents directly, and in doing so bypassed the "approved document" screening.

Of course that speaks of a "security" system so weak as to be unworthy of the name, but the fact that internal components

Typically, a security system has to be strong enough so that someone's aware of breaking it. I'd suggest that a security system you can break without trying is no security system. It's possible to mistype a URL, so a system based on URLs for security doesn't count. A login that's easily cracked, or enforces bad passwords, requires an intruder to bypass the login mechanism or type a password, so that would count.

> did not have intent to commit a criminal offense by accessing the information,

When the computer hacking laws were introduced, that was one of the drawbacks: Intent does not matter, for the law. So in this case, it is just the law enforcement being nice in not pursuing the case while they are convinced there was no intent.

When the computer hacking laws were introduced, that was one of the drawbacks: Intent does not matter, for the law. So in this case, it is just the law enforcement being nice in not pursuing the case while they are convinced there was no intent.

Why is no one interested in why the non-redacted data was there publicly available in the first place? It seems a far more relevant topic to me than whether or not someone accessing it is in the right or wrong. If anyone should be sanctioned, it should be those people or the agency which publicized the private data to begin with.

Transcript: Narrator: Dogbert The Reporter. Dogbert: How did hackers get access to your customer data? CEO: I'm told they used something called "our A.P.I." to suck out all the data. Dogbert: I'll just say you're stupid. CEO: Why does everyone always say that?

So first off, yeah, overall this is a good thing. I don't think the kid deserved to be charged at all and it was a case of grossly mishandling private information, what little there was. The FOIA content itself really ought to be public anyway.

But this is a real kick in the pants for the rule of law. It's "high profile", so the cops won't touch it? It means you really need to go to the press and get people angry about issues and get them to mail officials. Bitching and moaning and mob rule is the new rule.